What Is Forefront TMG?

Forefront Threat Management Gateway (TMG) 2010 is an integrated edge security gateway from Microsoft. It is a Common Criteria certified (EAL4+) enterprise-class application-layer firewall that includes support for proxy services (forward and reverse proxy), content caching, and VPN (both site-to-site and remote access). Forefront TMG is licensed per processor; no client access licenses are required. It can be deployed in all of these roles, or any subset of them.

Forefront TMG 2010 can also be deployed as a secure mail relay. The Exchange Edge Transport role (Exchange 2007 SP2 and later) and Forefront Protection for Exchange (FPE) can be installed directly on the Forefront TMG firewall. This allows for perimeter host consolidation and streamlined management, as e-mail policy and spam filtering are configured from a single interface, the TMG management console.

Virtual Private Networking

Forefront TMG 2010 includes Virtual Private Networking (VPN) for both remote access and site-to-site connections. For remote access VPN, Forefront TMG supports three protocols: PPTP, L2TP/IPsec, and SSTP. SSTP is a newer VPN protocol supported by Windows Vista SP1 and later clients; it carries PPP over SSL/TLS on TCP port 443, so it passes through firewalls and NAT devices that already permit outbound HTTPS. PPTP is the weakest of the three, since it relies on MS-CHAPv2 for authentication and key derivation; where clients support it, prefer SSTP or L2TP/IPsec. For site-to-site VPN, TMG supports PPTP, L2TP/IPsec, and IPsec tunnel mode. IPsec tunnel mode is commonly used to terminate tunnels between TMG and third-party VPN products such as Juniper, Check Point, and Cisco.
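A practitioner auditing the edge usually wants to confirm from the outside that a TMG web listener really answers SSTP on TCP 443, rather than only trusting the console. The following added example is not from the original page and not Microsoft code; it builds the SSTP_DUPLEX_POST request defined in the MS-SSTP specification (the `/sra_{...}/` path and the 18446744073709551615 Content-Length are fixed protocol constants), sends it over a TLS connection, and classifies the reply. The host name `vpn.example.com`, the `{ABC}` correlation ID, and the sample responses in the comments are constructed for illustration; `probe_sstp` needs network access, while the two helper functions run offline.

```python
import socket
import ssl
import uuid
from typing import Optional

# SSTP endpoint path from MS-SSTP; the GUID is a fixed protocol constant, not a per-server value.
SSTP_PATH = "/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/"
# MS-SSTP requires this Content-Length on both the client request and the server's 200 OK.
SSTP_CONTENT_LENGTH = "18446744073709551615"


def build_sstp_probe(host: str, correlation_id: Optional[str] = None) -> bytes:
    """Build the SSTP_DUPLEX_POST request a client sends to open an SSTP tunnel."""
    cid = correlation_id or "{" + str(uuid.uuid4()).upper() + "}"
    lines = [
        f"SSTP_DUPLEX_POST {SSTP_PATH} HTTP/1.1",
        f"Host: {host}",
        f"Content-Length: {SSTP_CONTENT_LENGTH}",
        f"SSTPCORRELATIONID: {cid}",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def classify_sstp_response(raw: bytes) -> str:
    """Classify the server's reply to the probe.

    'sstp'     -> 200 OK carrying the mandatory SSTP Content-Length (listener has SSTP enabled)
    'no-sstp'  -> an ordinary HTTP status (e.g. 404/405/501), i.e. HTTPS but no SSTP
    'unknown'  -> nothing HTTP-like came back
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    if not status_line.startswith(b"HTTP/1."):
        return "unknown"
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return "unknown"
    code = int(parts[1])
    headers = head.lower()
    if code == 200 and b"content-length: " + SSTP_CONTENT_LENGTH.encode() in headers:
        return "sstp"
    return "no-sstp"


def probe_sstp(host: str, port: int = 443, timeout: float = 5.0, verify: bool = True) -> str:
    """Open a TLS session to the listener, send the probe and classify the reply.

    verify=False is only for lab gateways whose listener certificate is not trusted
    by this machine; in production the chain should validate, as real clients need it to.
    """
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(build_sstp_probe(host))
            data = b""
            while b"\r\n\r\n" not in data:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                data += chunk
            return classify_sstp_response(data)


if __name__ == "__main__":
    # Constructed sample replies; a live run would use probe_sstp("vpn.example.com").
    accepted = b"HTTP/1.1 200 OK\r\nContent-Length: 18446744073709551615\r\nServer: Microsoft-HTTPAPI/2.0\r\n\r\n"
    refused = b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"
    print(classify_sstp_response(accepted), classify_sstp_response(refused))
```

The probe does not complete the tunnel, so it neither authenticates nor needs credentials; a 200 with the sentinel Content-Length is enough to show the listener is willing to negotiate SSTP, which is what an external exposure check needs to record.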

Network Placement

The Forefront TMG networking model allows it to be deployed as an edge firewall, a back firewall behind another edge device, or an internal firewall between trusted networks. Multiple perimeter (DMZ) networks can be configured, allowing for traffic segmentation and granular access control between them. Forefront TMG can also be configured as a dedicated single-NIC (unihomed) proxy, either transparent or explicit, in an existing perimeter network; in that configuration it provides web proxy and caching only, not firewalling between networks.